Skip to main content
  • The Wellington City Council (WCC) wanted to deliver quality outcomes without breaking the bank. Find out how Planit’s fast and flexible resources helped WCC achieve this goal.

this is a test Who We Are Landing Page

INSIGHTS / Articles

How Do I Comply With the New Privacy Act?

 9 Dec 2020 
INSIGHTS / Articles

How Do I Comply With the New Privacy Act?

 9 Dec 2020 

Instead of being afraid of the new Privacy Act 2020 in New Zealand, we should see it as an opportunity to protect businesses and organisations. The implications of new Act should also not be just limited to New Zealand - it also serves as a reminder to be compliant for international markets as well.

Privacy regulations worldwide are all based on the same ideal of collecting and securing appropriate personal and sensitive data correctly. This means, for a little extra effort, you can also become compliant with regulation in other territories, such as:

  • General Data Protection Regulation (GDPR). This European data privacy and security law applies to a market of 446 million people. In the first 20 months of the law, non-compliance costs hundreds of companies more than €114 million in fines.

  • Health Insurance Portability and Accountability Act (HIPAA). This US standard is designed to protect sensitive patient data in a market of 328 million people. Non-compliance costs companies an average penalty of US$1.2 million per violation.

  • California Consumer Privacy Act of 2018 (CCPA). Another US-centric law that protects the rights of consumers personal data. Penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional one.

All the above could be addressed when making your company compliant with the new NZ Privacy Act.

The new Act came into effect on 1 December 2020, and some changes it introduced include:

  • New privacy breach notification regime. If a privacy breach has caused (or is likely to cause) serious harm, the company must notify the Office of the Privacy Commissioner and affected individuals as soon as possible.

  • Compliant notices. The Privacy Commissioner can issue compliance notices to organisations to require them to do or stop doing something.

  • Enforceable access directions. Privacy Commissioner can direct organisations to provide individuals access to their personal information in line with principle 6.

  • Disclosing information overseas. New principle 12 to regulate the way personal information can be sent overseas.

  • The extraterritorial effect. Any overseas organisation that is “carrying on business” in New Zealand will be subject to the Act’s privacy obligations.

  • New criminal offenses. Up to $10,000 fine for a person impersonating or misleading someone to access the information they are not entitled to see, or an organisation destroying data after a request is made to access it.

  • Principle 1 Change. Organisations can now only collect identifying information if it is necessary.

As you can see, the new act has more enforceable actions and fines. This means organisations need to review their current privacy policies and data collection processes to ensure compliance.

What you should be doing now

Although the new Act provides some worthwhile guidelines to follow, there are some good privacy practices you could be doing because they are the right thing to do:

People and organisations own their data!

It is important to remember you are just a custodian of private information. It is not yours to sell or pass on without explicit permission from the person or organisation.

What personal information are you holding?

Part 3, Principle 1 of the Privacy Act clearly states you can only collect personal information for a lawful purpose where that data is needed to fulfill that purpose. Collecting or holding personal or organisational data that is not required is not allowed.

Data classification, storage, and access control

To keep data safe, you must classify all data to ensure correct handling and storage.

ISC2 have four classes types of data:

Class Governmental classification Non-Governmental Classification Potential Damage
Top Secret Confidential / Proprietary Exceptionally Grave Damage

Private Serious Damage
Confidential Sensitive Damage
Public Public No Damage

For each data classification above there should be a policy for:

  • Where data can be stored. Given a lot of data is in the Cloud, do you have to host it in New Zealand? Or can it be anywhere in the world?

  • Where it is used?

  • Security and access controls. Who can see the data?

  • Are audit trails needed for those who accessed the data from where and when?

By classifying the data making policy on each class, you can protect your organisation from unintended breaches of the Privacy Act.

What data do you not retain?

There is a difference in what you need to have to onboard a customer versus maintaining a relationship with them. Some considerations are:

  • Do you need to retain ID documents and other sensitive data to identify the person/organisation and onboard them?

  • Do you need to keep personal or sensitive data related to maintenance of the relationship?

  • Do you need to retain data for past customers and employees?

If you do not need it, then the best practice is to purge it.

Retention period of data

As per the point above, all personal and other organisations' data need to have a prescribed retention period. When you assess and classify the data that you hold, a good practice is to set a retention period based on how long you need it. Holding any data longer than needed makes any event of a breach worse than it needs to be.

Act upon your privacy

As the above GDPR and HIPAA examples demonstrate, ignorance is not a defense in the view of the law. Regulators are not shy of using their powers and available enforcement options to ensure compliance.

With the new Privacy Act enacted, the time to act is now. If you are not sure where to start, begin by going through your datasets and identifying anything that might be in non-compliant with the new Privacy Act.

Good housekeeping practices, however, are no substitute for professional guidance and advice. Find out how our security expertise can help you prepare for the new Privacy Act and any other new regulation that may come along.

Protect Your Data and Reputation

We can help you protect your valuable assets and brand reputation. Following an international best practice methodical approach, we provide you with in-depth reports into weaknesses that attackers could exploit in your specific systems. We can then work with you to close these loopholes.
Find out how Planit’s three-pronged approach to security testing can help you protect your systems by addressing development, use, and infrastructure.


Find out more

Get updates

Get the latest articles, reports, and job alerts.